While I was implementing the then-new security model for Roundup (ie. the current one I had to decide whether to have separate actions for "edit" and "create". At the time, I couldn't come up with a reason for supporting both. I think I made a mistake, and we really do need them separated.
o Registration of new users. We don't want anonymous users editing or viewing
- user records, but we do need them to be able to create one. Rego is currently broken because of this.
o Anonymous submission of issues. Again, no access to existing issues, but
- we should allow anonymous creation of them.
So I'm going to look into adding creation to the standard set of permissions.
From unknown Fri Jul 16 23:22:55 -0400 2004 From: Date: Fri, 16 Jul 2004 23:22:55 -0400 Subject: Subgroups Message-ID: <20040716092255-0400@www.mechanicalcat.net>
The idea of subgroups fits in with extending permissions. We want a way to put users into groups (maybe more than one) and issues into groups (again, maybe more than one) and only users in the same group as an issue can see the issue - or even be aware it exists. We would use this to effectively partition the tracker into client areas were company staff can see all issues but clients can only see their own. However, we could also create a product area and give all clients with an interest in the product access (maybe only view access) to the issues.
We've looked at doing this with nosy lists but it doesn't fit neatly with the security model.